Hi Viktor,

On Tue, 2 Aug 2022, Viktor Rosenfeld via clamav-users wrote:

> 22:51 hesk@kenny:~ $ clamscan /opt/homebrew/Cellar/node/18.7.0/bin/node
> Loading:     7s, ETA:   0s [========================>]    8.62M/8.62M sigs
> Compiling:   2s, ETA:   0s [========================>]       41/41 tasks
> /opt/homebrew/Cellar/node/18.7.0/bin/node: Osx.Exploit.CVE_2021_4034-9951522-1 FOUND
> ...
>
> On Tue, 2 Aug 2022, G.W.Haywood via clamav-users wrote:
> ...
> > If you can post ... a link to where you got the file, AND the MD5 ...
>
> I'm using Homebrew to install nodejs. Below is the curl command that
> downloads ...
After several attempts using variations of your curl command I failed to
grab the file, so I took the tarballs (like Al - in fact I grabbed three,
the 16.x ARM and X64 versions and the 18.x ARM version) from
https://nodejs.org and simply unpacked them to a scratch directory to scan
them. The results are different from yours, see below.

On Tue, 2 Aug 2022, Viktor Rosenfeld via clamav-users wrote:

> MD5 (node/18.7.0/bin/node) = bd689141b74bf1c9d897d25aa6878a85

I didn't get the same MD5 for the file:

6b8627f0b1327ffee606314125862e27  node-v18.7.0-darwin-arm64/bin/node

so I wonder what's up there. As it isn't the same file that you have I
didn't bother to scan it, but see below for 'strings' etc.

On Tue, 2 Aug 2022, Maarten Broekman via clamav-users wrote:

> Additionally, using the 'strings' command to get any/all ASCII strings
> from the binary (yes, I know it doesn't always help) doesn't show
> anything...
I don't see the same result at all:

8<----------------------------------------------------------------------
$ strings ./node-v18.7.0-darwin-arm64/bin/node | perl -ne 'if(/[a-zA-Z]{5,}/){print;}' | head -n 10
__PAGEZERO
__stubs
__stub_helper
__cstring
__const
__ustring
__oslogstring
__unwind_info
__eh_frame
__DATA_CONST
8<----------------------------------------------------------------------

Lots of strings in there.

A clamd scan of the entire directory tree found this:

node-v16.16.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND
node-v16.16.0-darwin-x64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND

As you can see we run with 'PUA' signatures enabled, see

https://docs.clamav.net/faq/faq-misc.html?highlight=false%20positive#what-is-pua-i-get-a-lot-of-false-positives-named-pua

and e.g. the clamscan and clamd.conf 'man' pages for more about PUAs.

This is PUA.Win.Trojan.Xored-1 (it's in 'daily'):

8<----------------------------------------------------------------------
$ sigtool --find-sigs 'PUA.Win.Trojan.Xored-1' | sigtool --decode-sigs
VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
8<----------------------------------------------------------------------

It's just looking for the string 'charcodeat(X)' where X is a string of
5 or fewer characters. Pretty generic, I'm amazed that we don't see more
FPs than we do from that source.
The three files in which this is found are identical in the three
archives:

8<----------------------------------------------------------------------
$ md5sum .../*/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa  node-v16.16.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa  node-v16.16.0-darwin-x64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa  node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
$ grep -ci charcodeat ./node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
1
8<----------------------------------------------------------------------

You can easily create your own FP entries in the database, see the
documentation at

https://docs.clamav.net/manual/Signatures/AllowLists.html

When I scanned a tree using vanilla 'clamscan', nothing was found:

$ ./clamscan -ro node-v18.7.0-darwin-arm64
node-v18.7.0-darwin-arm64/bin/npm: Symbolic link
node-v18.7.0-darwin-arm64/bin/npx: Symbolic link
node-v18.7.0-darwin-arm64/bin/corepack: Symbolic link
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/node-gyp/gyp/pylib/gyp/generator/__init__.py: Empty file
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/smart-buffer/docs/ROADMAP.md: Empty file
node-v18.7.0-darwin-arm64/lib/node_modules/npm/.npmrc: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 8812460
Engine version: 0.103.7
Scanned directories: 954
Scanned files: 4118
Infected files: 0
...

These archives are from 100 to 150 megabytes of code and other junk. As
the PUA signature is so generic, it would almost be surprising if
something was NOT found.
If the archive comes from a reliable source, and it's been checked to
make sure that it hasn't been tampered with, and it's more than a few
days old, scans will already have been done all over the world, with at
least a dozen scanners other than ClamAV. So unless you have your own
speciality signatures I think scanning it again will most likely be
pointless. In any case the probability of finding something really nasty
is small, because if the bad actor is the least bit competent it will be
very well hidden.

One example of the sort of threat you might want to worry about:

https://www.theregister.com/2022/07/25/nodejs_prototype_pollution/

If I were going to use this stuff, that would give me pause.

HTH

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
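Worked example, added here and not part of Ged's message or of ClamAV's own code: a small Python model of how a body signature like the decoded PUA.Win.Trojan.Xored-1 above is matched, and the shape of an .fp allow-list entry for a file you have decided is a false positive. Assumptions: the .ndb hex form of the signature is reconstructed by hand from the decoded `charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^` shown in the message, not copied from the daily database; the JavaScript snippets are constructed and are not the real imurmurhash.min.js; lower-casing stands in for ClamAV's HTML normaliser (which is why a lower-case signature hits the mixed-case method name charCodeAt). No ClamAV installation is needed to run it.

```python
"""Model of a ClamAV .ndb body signature and an .fp allow-list entry.

Added example; the hex signature below is a hand reconstruction of the
decoded form shown on the clamav-users list, not a copy of daily.cld.
"""
import hashlib
import re

# .ndb body signature: Name:TargetType:Offset:HexSignature.  Hex part =
# "charcodeat(" then {-5} (any 0..5 bytes) then ")^".  Target type 3 is HTML.
# Spaces are tolerated here purely for readability (assumption for this demo).
NDB_SIG = "PUA.Win.Trojan.Xored-1:3:*:6368617263 6f6465617428 {-5} 295e"

# One token of ClamAV hex-signature syntax: {n}, {-n}, {n-}, {n-m}, *, ??,
# or a literal byte.  Single-nibble wildcards such as "6?" are not handled.
_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|\*|\?\?|[0-9a-fA-F]{2}|\s+")


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate ClamAV hex-signature syntax into an equivalent bytes regex."""
    parts = []
    pos = 0
    while pos < len(hexsig):
        m = _TOKEN.match(hexsig, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at {pos}: {hexsig[pos:pos + 4]!r}")
        tok = m.group(0)
        if tok.isspace():
            pass
        elif tok == "*":                 # any number of bytes
            parts.append(b".*?")
        elif tok == "??":                # exactly one arbitrary byte
            parts.append(b".")
        elif tok.startswith("{"):        # {n} exact, {-n} / {n-} / {n-m} ranges
            lo, dash, hi = m.groups()
            if not lo and not hi:
                raise ValueError("empty {} range")
            quant = f"{{{lo}}}" if not dash else f"{{{lo or '0'},{hi}}}"
            parts.append(b"." + quant.encode())
        else:                            # literal byte, escaped for the regex
            parts.append(re.escape(bytes.fromhex(tok)))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(line: str) -> dict:
    """Split an .ndb line into its fields and compile the hex signature."""
    name, target, offset, hexsig = line.split(":", 3)
    return {"name": name, "target": int(target), "offset": offset,
            "regex": hexsig_to_regex(hexsig)}


def normalise_html(data: bytes) -> bytes:
    """Rough stand-in for ClamAV's HTML normaliser: only the lower-casing is
    modelled; whitespace and entity handling are not."""
    return data.lower()


def scan(data: bytes, sig: dict):
    """Return (signature name, matched bytes) on a hit, else None."""
    m = sig["regex"].search(normalise_html(data))
    return (sig["name"], m.group(0)) if m else None


def fp_entry(data: bytes, label: str) -> str:
    """Allow-list line in .fp format (MD5:Size:Label).  Dropped into the
    database directory as e.g. local.fp it makes ClamAV skip this exact file
    regardless of which signature would otherwise match inside it."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{label}"


# Constructed samples (not the real imurmurhash.min.js).
SAMPLE_HASH_LOOP = (b"function h(s){var k=0;for(var i=0;i<s.length;i++)"
                    b"{k=s.charCodeAt(i)^k;}return k}")   # hit: "(i)^"
SAMPLE_FIVE = b"var o=text.charCodeAt(index)^mask;"          # hit: 5 bytes
SAMPLE_SIX = b"var o=text.charCodeAt(offset)^mask;"          # miss: 6 bytes
SAMPLE_PLAIN = b"var c=s.charCodeAt(i); x=c^0xff;"           # miss: no ")^"

SIG = parse_ndb(NDB_SIG)

if __name__ == "__main__":
    for label, sample in [("hash loop", SAMPLE_HASH_LOOP), ("five", SAMPLE_FIVE),
                          ("six", SAMPLE_SIX), ("plain", SAMPLE_PLAIN)]:
        print(f"{label:10s} {scan(sample, SIG)}")
    print(fp_entry(SAMPLE_HASH_LOOP, SIG["name"]))
```

The six-byte sample shows how sharp the `{-5}` edge is: `charCodeAt(index)^` is a hit and `charCodeAt(offset)^` is not, which is the sense in which the signature is generic rather than targeted. If you would rather disable the signature for every file than allow-list one hash, the alternative the docs describe is a local.ign2 file containing just the signature name.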